logon CMC "Account Information Not Recognized: Access is denied"

Former Member
0 Kudos

BO XI R3

We are experiencing this really strange phenomenon.

We have AD authentication enabled, which worked fine until some persons started complaining they got the error "Account Information Not Recognized: Access is denied" when trying to log on to the CMC.

It sounded like a normal lack of rights. However, after some investigation I don't have any clue.

1) I checked the user and its memberships. Then I checked access to the CMC -> OK

details inheritance:

- BO group 1
- BO group 2
- BO group 3
- AD group 4
- user1

rights to logon to CMC are given on BO group 3 level

2) password of the user was correct (because otherwise you'll get another error: Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are ...)

3) another user (member of another AD group) could logon with AD authentication to the CMC, so no existing problems with AD authentication

4) I added an enterprise alias to the AD user1 account in BO to exclude a rights problem -> SUCCESS, user could log on to CMC with enterprise auth. ==> definitely no rights problem

5) I asked other members of AD group 4 to try to log on to CMC with AD credentials -> they all experience the same problems (Access denied)

6) Then I thought there might be something wrong with the AD group linking. I removed the AD group, updated Windows AD auth and re-added, updated again. I then re-linked this AD group to the BO group 3. => problem persists.

7) As an ultimate test (however I was pretty sure no rights issue was involved, see 4)), I added the user to the administrators group -> could log in to CMC with AD auth????

8) As this environment was a migration of our R2 environment, we had another R3 environment which had exactly the same R2 source => no problems with AD authentication over there?!!

Anyone a clue?

Accepted Solutions (1)

former_member59613
Contributor
0 Kudos

Hi Tom,

My first thought is that there must be an explicit deny in one of the groups that this user is a member of. An explicit deny overtakes any not specified, or explicit grants.

The CMC has a new Query Results section that has Security Queries that you can carry out. You could try using that to determine the rights.

Also, if you go to CMC/Applications/CMC/User Security, you should be able to add the user specifically and then do a view security to see what the combined rights are for that user.

It's got to be a right of some sort that is propagating down. The strange thing is that you state that adding the user to the Administrators group resolves this issue. This means that the right must be not specified at some level because if it was denied, even adding them to the administrators group wouldn't matter.

Thanks

Jonathan
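The deny / not specified / grant reasoning in the accepted answer, as an added example that is not part of the original thread and is not SAP code: a simplified three-state merge across a user's groups. The right names, the `Administrators` grants and the ACL contents are constructed for illustration, and object-level inheritance is not modelled.

```python
from enum import Enum

class Right(Enum):
    NOT_SPECIFIED = "not specified"
    GRANTED = "granted"
    DENIED = "denied"

def effective(right, principals, acl):
    """Merge one right over the user and every group the user belongs to."""
    states = {acl.get(p, {}).get(right, Right.NOT_SPECIFIED) for p in principals}
    if Right.DENIED in states:        # any deny wins over every grant
        return Right.DENIED
    if Right.GRANTED in states:
        return Right.GRANTED
    return Right.NOT_SPECIFIED        # nobody granted it: access is refused

def blocking_rights(principals, acl, required):
    """Return {right: state} for each required right that is not granted."""
    result = {}
    for right in required:
        state = effective(right, principals, acl)
        if state is not Right.GRANTED:
            result[right] = state
    return result

# Constructed sample data; right names are hypothetical labels.
REQUIRED = ["logon_cmc", "edit_owned_object"]
ACL = {
    "BO group 3": {"logon_cmc": Right.GRANTED},
    "Administrators": {r: Right.GRANTED for r in REQUIRED},
}
USER1 = ["user1", "AD group 4", "BO group 3"]

def scenarios():
    """Evaluate user1 as-is, as an administrator, and with an explicit deny."""
    as_is = blocking_rights(USER1, ACL, REQUIRED)
    as_admin = blocking_rights(USER1 + ["Administrators"], ACL, REQUIRED)
    acl_deny = {**ACL, "AD group 4": {"edit_owned_object": Right.DENIED}}
    denied_admin = blocking_rights(USER1 + ["Administrators"], acl_deny, REQUIRED)
    return as_is, as_admin, denied_admin

if __name__ == "__main__":
    labels = ("as is", "plus Administrators", "deny plus Administrators")
    for label, blocked in zip(labels, scenarios()):
        print(label, {k: v.value for k, v in blocked.items()} or "logon allowed")
```

A right that is blocked as "not specified" disappears once a granting group is added, while a blocked "denied" right survives it, which is the distinction the answer uses to rule out an explicit deny.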

Answers (4)

Former Member
0 Kudos

Txs all for the replies. After doing extensive checks and re-checks, I finally was able to find the problem.

It appeared to be linked to security rights after all:

USER top-level -> "Edit the object (that the user owns)" was missing.

Apparently this right is only needed when you login with AD-auth (why?) and not with enterprise-account.

Former Member
0 Kudos

Thanks Tom!

Had the same error. But some folks were able to login to InfoView but not to DESKI.

ciao Hakan

Former Member
0 Kudos

Hi Tom,

I would suggest you recheck your Windows AD configuration step by step. Check the service principal name first. Check if it's been created properly and delegated service rights on the BOBJ server machine. Check its bindings. The documentation contains detailed steps for the configuration of AD authentication. Recheck and reapply each one of those. I had encountered a similar problem once during a migration, and rechecking and reapplying everything solved it for me. And do maintain a log of all your activities, including that of the webserver.

Edited by: Abdul Khalid on May 29, 2010 2:51 AM

Former Member
0 Kudos

Txs Jonathan and Tim for the feedback, but

- restart CMS did not solve the problem

- I seriously doubt that missing rights might be the problem (however the administrator thing remains very strange), as I listed in 4) I used the same user: once with AD auth -> Not OK and once with enterprise auth (alias) -> OK

Is there a way on activating/opening more detailed logging on this error?

former_member59613
Contributor
0 Kudos

You can enable a trace on the CMS. This will give you detailed information about the Windows AD authentication portion. To do this, you can add a -trace to the command line of the CMS, or to enable a live trace, follow this note:

1335757 - Enabling and disabling tracing in XI 3.1 for specific services without requiring a restart

https://service.sap.com/notes/

Thanks

Jonathan

BasicTek
Advisor
0 Kudos

Also you may want to try restarting the CMS, if it worked before possibly the AD graph has somehow cached bad info. Restarting the CMS will build a new graph.

Regards,

Tim